Transaction authentication system.



A transaction authentication system comprises a
terminal (9, 20), a first memory (12, 18) and an IC
card (1, 21, 51) which is detachably loaded into the
terminal. The terminal supplies at least a transaction
data which is related to a transaction and a
designated storage region in a second memory (3, 4,
31, 32, 58, 59, 60) for storing the transaction data to
the IC card when the IC card makes an access to a
service via the terminal. A second processor (30, 54)
of the IC card writes the transaction data received
from the terminal in the designated storage region of
the second memory and generates a verified data
which is renewed every time the transaction data is
written into the second memory. The verified data
has a value in conformance with a predetermined
generating algorithm and is stored in the second
memory and also supplied to the terminal. A first
processor (10, 11) of the terminal generates a
transaction historical information which includes at least
the designated storage region, the transaction data
and the verified data and stores the transaction
historical information in the first memory, so that a
transaction is authenticatable from a correspondence
of the verified data stored in the first memory and
the verified data stored in the second memory.
TRANSACTION AUTHENTICATION SYSTEM



BACKGROUND OF THE INVENTION 

The present invention generally relates to 
transaction authentication systems, and more par- 
ticularly to a transaction authentication system 
which authenticates a transaction which uses an 
integrated circuit (IC) card after the transaction is 
made. 

Presently, transactions using cards are popular 
due to their convenience. But on the other hand, 
illegal use of such cards is increasing and it is 
becoming more and more important to authenticate 
the transactions. 

Conventionally, when authenticating a transaction
which uses a magnetic stripe card, a verified
data is generated within a terminal device in con- 
formance with a predetermined algorithm and is 
added to a transaction data. The uniqueness of the 
data is used when discriminating whether or not the 
transaction is correctly performed. 

For example, the magnetic stripe card is load- 
ed on a point-of-sales (POS) terminal or the like 
when using a credit service. Prior to making a 
transaction, a check is made to prevent illegal use 
of the magnetic stripe card. For example, a per- 
sonal identification number (PIN) is entered by the 
user and the POS terminal discriminates whether 
or not the entered PIN corresponds with a PIN 
which is prerecorded on the magnetic stripe card, 
and the POS terminal discriminates whether or not 
the use of the magnetic stripe card on the POS 
terminal is permitted based on a terminal confirmation
code. After it is discriminated that the PIN
entered by the user corresponds with the PIN 
prerecorded on the magnetic stripe card and that 
the use of the magnetic stripe card is permitted on 
the POS terminal, the POS terminal adds verified 
data to the transaction data and temporarily stores 
the data on a recording medium. The verified data 
is generated within the POS terminal in confor- 
mance with a predetermined algorithm. For exam- 
ple, the recording medium is a flexible disc. After 
the transaction ends, a transaction historical in- 
formation is transferred to a host computer within 
an operation center or the like by a batch data 
transmission. 

The character of the verified data differs from 
that of the PIN in that the user is unaware of the 
existence of the verified data and the verified data 
is not used for prohibiting the transaction. Normally,
a check is made after the transaction is
made to determine whether or not the value of the 
verified data is in conformance with the generating 
algorithm so as to discriminate whether or not the 
transaction made was legitimate. 
However, a person who is familiar with the
operations and functions of the POS terminal may
easily decode a program for generating the verified
data. Furthermore, a person who somehow finds
out the generating algorithm for generating the
verified data may easily and freely operate the
POS terminal without using a magnetic stripe card.
Such persons can make an illegal transaction by
fabricating or altering the transaction data and the
verified data. When making the illegal transaction,
such persons can easily make the verified data
which is added to the illegal transaction data take a
value in conformance with the generating algorithm,
and in this case, it is impossible to find out that an
illegal transaction was made. An integrated circuit
(IC) card also suffers a similar problem because
the verified data is generated and added to the
transaction data within the terminal.

SUMMARY OF THE INVENTION 

Accordingly, it is a general object of the
present invention to provide a novel and useful
transaction authentication system in which the
problems described above are eliminated.

Another and more specific object of the
present invention is to provide a transaction
authentication system comprising terminal means
comprising first processing means and a card
reader/writer, first memory means, and an
integrated circuit card which is detachably loaded into
the card reader/writer and comprises second
processing means and second memory means. The
terminal means supplies at least a transaction data
which is related to a transaction and a designated
storage region in the second memory means for
storing the transaction data to the integrated circuit
card when the integrated circuit card makes an
access to a service via the terminal means. The
second processing means of the integrated circuit
card writes the transaction data received from the
terminal means in the designated storage region of
the second memory means and generates a
verified data which is renewed every time the
transaction data is written into the second memory. The
verified data has a value in conformance with a
predetermined generating algorithm and is stored
in the second memory means and also supplied to
the terminal means. The first processing means of
the terminal means generates a transaction
historical information which includes at least the
designated storage region, the transaction data and the
verified data and stores the transaction historical
information in the first memory means, thereby a
transaction being authenticatable from a
correspondence of the verified data stored in the first
memory means and the verified data stored in the
second memory means. According to the transaction
authentication system of the present invention,
the verified data which is unique for each
transaction is stored within the integrated circuit card and
is also supplied to the terminal means to be stored
in the first memory means. Hence, it is possible to
authenticate the transaction by verifying the verified
data stored within the integrated circuit card and 
the first memory means. The verified data cannot 
be fabricated or altered even by a person who is 
familiar with the programs of the terminal means, 
and the reliability of the integrated circuit card is 
greatly improved compared to the conventional 
case because illegal transactions can easily be 
found. 

Other objects and further features of the 
present invention will be apparent from the follow- 
ing detailed description when read in conjunction 
with the accompanying drawings. 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG.1 is a system block diagram for explaining
an operating principle of a transaction
authentication system according to the present invention;

FIG.2 is a system block diagram showing a 
first embodiment of the transaction authentication 
system according to the present invention; 

FIG.3 is a system block diagram showing an 
embodiment of an IC card used in the first
embodiment;

FIGS.4A and 4B respectively are a perspective
view and a system block diagram for explaining
the embodiment of the IC card shown in FIG.3
in more detail; and 

FIG.5 is a system block diagram showing an 
embodiment of an IC card used in a second em- 
bodiment of the transaction authentication system 
according to the present invention; 

FIGS.6A, 6B and 6C respectively are flow
charts for explaining an operation of a central pro- 
cessing unit of the IC card shown in FIG.5; and 

FIG.7 is a side view in cross section generally
showing an embodiment of a card
reader/writer which is used in the second embodi- 
ment. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS

First, a description will be given of an operating
principle of a transaction authentication system
according to the present invention, by referring to
FIG.1. The transaction authentication system
generally comprises an IC card 1, a terminal 9, and a
memory device 12. The IC card 1 comprises a
processor 2, a first memory 3 which prestores a
plurality of processing means (or programs) for
operating the processor 2, and a second memory 4
which stores a transaction data which is processed
by the operation of the processor 2. When making
a transaction using the IC card 1, the transaction
authentication system starts the transaction after
authenticating a specific information which is stored
in the IC card 1. The second memory 4 includes
transaction data storage regions 8 which are
respectively designated for each transaction and
storage regions 27 which respectively store a
transaction execution identifying information for each
transaction in correspondence with a transaction
data storage region 8. The processor 2 includes a
write means 5 for designating the transaction data
storage region 8 and for storing a transaction data
therein, a verified data generating means 6 for
generating a verified data for a transaction based
on the transaction execution identifying information,
and a renewing means 7 for renewing the
transaction execution identifying information within the
storage region 27 every time the transaction data is
received.

The IC card 1 is loaded into the terminal 9
which can read and write information with respect
to the IC card 1. The terminal 9 comprises a
transaction processing means 10 for executing a
transaction after the specific information of the IC
card 1 is confirmed, and a transaction historical
information generating means 11 for generating a
transaction historical information in which a
transaction data is added with a verified data which is read
from the IC card 1 and an information which
designates the transaction data storage region 8 for
each transaction. The memory device 12 stores the
transaction historical information which is received
from the terminal 9.

The transaction is made as follows. That is,
when the IC card 1 is loaded into the terminal 9,
the terminal 9 reads a card identification
information (for example, a card name) from the IC card 1
via a route which is not shown in FIG.1 and starts
the transaction if the PIN can be confirmed. A
transaction data which is obtained by the start of
the transaction is output from the transaction
processing means 10. The transaction data and an
address data which designates a write address
within the IC card 1 are supplied to the transaction
historical information generating means 11 within
the terminal 9 and the write means 5 and the
renewing means 7 within the IC card 1.

The write means 5 writes the received
transaction data at a designated address of the transaction
data storage region 8 of the second memory 4.
The renewing means 7 reads the transaction
execution identifying information from an address of
the storage region 27 set depending on the
designated address, and renews the value of the
transaction execution identifying information for every
transaction. The renewed transaction execution
identifying information is written into the storage
region 27 and the renewing means 7 supplies to
the verified data generating means 6 an information
which designates the region into which the
renewed transaction execution identifying information
is written.

The verified data generating means 6 uses the 
information which is received from the renewing 
means 7 to read out the renewed transaction ex- 
ecution identifying information from the storage re- 
gion 27 and to generate the verified data. This 
verified data is supplied to the transaction historical 
information generating means 11 within the termi- 
nal 9. 

The transaction historical information generating
means 11 receives the verified data, the
transaction data from the transaction processing means
10 and the information for designating the region
within the IC card 1. The transaction historical
information generating means 11 generates a
transaction historical information which includes at least
these three kinds of data and supplies the
transaction historical information to the memory device 12.

Accordingly, when the transaction historical in- 
formation is generated within the terminal 9 without 
the use of the IC card 1, the value of the verified 
data of the IC card 1 is no longer in conformance 
with the generating algorithm. Even when the trans- 
action is made, the value of the verified data in- 
cluded in the transaction historical information 
which is stored in the memory device 12 after the 
transaction is different from the value of the verified 
data which is generated from the transaction ex- 
ecution identifying information which is renewed for 
every transaction and is stored in the second mem- 
ory 4 of the IC card 1. 

Next, a description will be given of a first 
embodiment of the transaction authentication sys- 
tem according to the present invention, by referring 
to FIG.2. In FIG.2, those parts which are basically
the same as those corresponding parts in FIG.1 are
designated by the same reference numerals, and a 
description thereof will be omitted. In FIG.2, a POS 
terminal 20 corresponds to the terminal 9 shown in 
FIG.1, and an IC card 21 corresponds to the IC 
card 1 shown in FIG.1. 

FIG.3 shows an embodiment of the IC card 21.
In FIG.3, those parts which are basically the same
as those corresponding parts in FIG.1 are
designated by the same reference numerals, and a
description thereof will be omitted. The processor 2
of the IC card 21 comprises the first memory 3, the
second memory 4, the write means 5, an adder
means 24, a serial number generating means 25
and a serial number informing means 26. The
adder means 24, the serial number generating
means 25 and the serial number informing means
26 correspond to the verified data generating
means 6 and the renewing means 7.

When the IC card 21 receives a write
command from the POS terminal 20 and the transaction
data which is included within the parameter of the
write command as the write data, the write means
5 of the processor 2 stores the transaction data into
the transaction data storage region 8 of the second
memory 4. On the other hand, when storing the
transaction data, the adder means 24 adds a
constant value to an initial value and the added value
(serial number) is stored in the storage region 27 of
the second memory as the transaction execution
identifying information. The added value is
thereafter supplied to the serial number generating
means 25.

The serial number generating means 25
generates a serial number as the verified data. In this
case, the serial number generating means 25
outputs the transaction execution identifying
information (added value which is a serial number) as it is.
The transaction execution identifying information
(serial number) becomes "0" when forming the
transaction data storage region 8 and is thereafter
incremented by one, for example, every time the
transaction data is written. Hence, the transaction
execution identifying information is for example a
serial number x_1, x_2, ... .

The serial number is returned to the POS
terminal 20 via the serial number informing means 26.

The hardware structure of the IC card 21 itself
is known. FIGS.4A and 4B respectively are a
perspective view and a system block diagram for
explaining the IC card 21 shown in FIG.3 in more
detail. The IC card 21 shown in FIGS.4A and 4B
comprises a central processing unit (CPU) 30
which corresponds to the processor 2, a read only
memory (ROM) 31 which corresponds to the first
memory 3, an electrically erasable programmable
ROM (EEPROM) 32 which corresponds to the
second memory 4, and contacts 33 for signal
input/output.

The CPU 30, the ROM 31 and the EEPROM 32
which are made up of semiconductor elements
have extremely small sizes and are capable of
making complex signal processings and providing large
memory capacities. For this reason, unlike the
magnetic stripe card which is limited to a single
function, the IC card 21 can be used to receive a
plurality of services with the same card. For
example, the services may include a credit service,
deposits and savings services, a hospital service,
various private club services and the like. In
addition, even when the IC card 21 is used to receive




BP 0 363 122 A2 



only the credit service, for example, the same card
may be used with a plurality of
stores and offices, accounts provided independently
for each of the stores and offices, accounts in a
plurality of banks and the like.

The IC card 21 is loaded into a card
reader/writer (not shown) which is connected to the
POS terminal 20. The card reader/writer reads from
the IC card 21 the card identification information
which identifies the IC card 21, and supplies the
card identification information to a host computer
(not shown). The host computer returns to the POS
terminal 20 a region designating information and the
like for designating a transaction data storage
region 8 within the IC card 21.

Prior to making the transaction using the IC
card 21, a check is made to prevent illegal use of
the IC card 21. For example, a personal
identification number (PIN) is entered by the user and the
POS terminal 20 discriminates whether or not the
entered PIN corresponds with a PIN which is
prerecorded on the IC card 21, and the POS
terminal 20 discriminates whether or not the use of the
IC card 21 on the POS terminal 20 is permitted
based on a terminal confirmation code.

Next, a description will be given of an operation
of the first embodiment by referring to FIG.2.
When the user uses the IC card 21 and purchases 
an item having a price of 200 dollars, for example, 
the operator of the POS terminal 20 loads the IC 
card 21 into the card reader/writer of the POS 
terminal 20 and enters the transaction sum of 200 
dollars into the POS terminal 20. In this case, the 
transaction processing means 10 of the POS termi- 
nal 20 outputs a transaction sum data of 200 dol- 
lars and a transaction date data which includes the 
year, month and date of the transaction. The trans- 
action processing means 10 further designates the 
storage region (area) where the transaction sum 
data and the transaction date data are to be stored. 
Based on the data received from the transaction 
processing means 10, the write means 5 of the IC 
card 21 writes the transaction data (transaction sum 
data and transaction date data) in a designated 
area A of the second memory 4. Then, the serial 
number generating means 25 of the IC card 21 
generates the serial number. This serial number is 
stored in an internal memory and is supplied to the 
POS terminal 20. 

The transaction historical information generating
means 11 of the POS terminal 20 adds the
serial number which is received from the IC card
21 to the transaction data (transaction sum data
and transaction date data), the card identification
information (for example, a card ID "CARD001") of
the IC card 21, and the region designating
information (area A in this case), so as to generate a
unique transaction historical information among the
plurality of IC cards, a plurality of POS terminals
and a plurality of transaction data. The transaction
historical information is written into the memory
device 12 via a storing means 14. After the
transaction ends, the transaction historical information is
written into a memory device 18 within a host
terminal 22 via communication means 15 and 16
and a storing means 17 by a batch data
transmission.

The transaction is completed in the above
described manner. When the transaction is legitimate,
the serial numbers within the transaction historical
information stored in the memory devices 12 and
18 change regularly in conformance with the
generating algorithm. Hence, it is possible to
authenticate the transaction by checking the change in
the values of the serial numbers. When the
transaction is legitimate, the serial number stored in the
IC card 21 constantly corresponds with the serial
number of the last transaction stored in the
memory devices 12 and 18.

For example, the transaction historical
information received from the POS terminal 20 may have
been generated by an illegal user who not only
knows the PIN but also knows the generating
algorithm for the serial number. Such an illegal user
can operate the POS terminal 20 and generate the
transaction historical information without actually
using the IC card 21. In this case, it is impossible
to prohibit the illegal transaction itself, however, the
serial numbers stored in the memory devices 12
and 18 after the transaction is made become
different from the serial number stored in the IC card
21. Therefore, it is possible to find out that the
illegal transaction has been made by verifying the
serial number stored in the IC card 21 and the
serial numbers stored in the memory devices 12
and 18, since the stored serial numbers do not
correspond in the case of the illegal transaction.

In the first embodiment, the serial number is
used as the verified data. However, it is possible to
use a function as the verified data. In this case, the
transaction execution identifying information x is
taken as an argument and the verified data
generating means 6 generates a function F(x). For
example, the transaction execution identifying
information x has an initial value x_0 and is renewed
for every transaction such that the transaction
execution identifying information x has a value x_k
when a kth transaction is made.

The function generated by the verified data
generating means 6 need not necessarily be a
single argument function and may be a multiple
argument function. In the case of the multiple
argument function, n arguments (x_1, x_2, x_3, ..., x_n) are
renewed for every transaction.

The transaction execution identifying
information for example has the initial value x_0 and values
x_1, x_2, x_3, ..., x_k which are calculated for every
transaction. All of these values of the transaction
execution identifying information may be stored in
the storage region 27 of the second memory 4. As
an alternative, it is also possible to store only the
final value x_k of the transaction execution
identifying information in the storage region 27 of the
second memory 4.
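
The first embodiment's serial number and the function F(x) described above can be modelled together, with the after-the-fact check that compares the card's stored value against the last logged record. This is an added example, not code from the patent: the class and function names, the HMAC-SHA256 choice for F, the demo key and the dates in the sample data are assumptions constructed for illustration (the page does not specify the generating algorithm).

```python
"""Added example: card-generated verified data and later reconciliation."""
import hashlib
import hmac
from dataclasses import dataclass


def serial_number(x, data):
    """First embodiment: the verified data is the counter x_k itself."""
    return str(x)


def keyed_function(key):
    """One possible F(x): HMAC-SHA256 over counter and data (assumed choice)."""
    def F(x, data):
        msg = x.to_bytes(4, "big") + data
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return F


class ICCard:
    """Model of the card: regions 8 (data) and 27 (counter) live in the card."""

    def __init__(self, card_id, generate=serial_number):
        self.card_id = card_id
        self._generate = generate
        self._data = {}      # storage region 8, one entry per designated area
        self._counter = {}   # storage region 27: x_k per area
        self._verified = {}  # verified data of the last write, per area

    def create_region(self, area):
        self._data[area] = b""
        self._counter[area] = 0            # x_0 = 0 when the region is formed
        self._verified[area] = self._generate(0, b"")

    def write(self, area, data):
        if area not in self._counter:
            raise KeyError("designation error: no such region")
        self._data[area] = data
        self._counter[area] += 1           # renewed on every write
        value = self._generate(self._counter[area], data)
        self._verified[area] = value
        return value                       # supplied to the terminal

    def stored_verified(self, area):
        return self._verified[area]


@dataclass(frozen=True)
class HistoryRecord:
    """Transaction historical information kept by the terminal and host."""
    card_id: str
    area: str
    data: bytes
    verified: str


def terminal_transaction(card, area, data, log):
    """Legitimate path: the terminal obtains the verified data from the card."""
    value = card.write(area, data)
    log.append(HistoryRecord(card.card_id, area, data, value))


def audit(card, area, log, generate=serial_number):
    """Return a list of findings; an empty list means the history reconciles."""
    findings = []
    records = [r for r in log if r.card_id == card.card_id and r.area == area]
    for k, rec in enumerate(records, start=1):
        if rec.verified != generate(k, rec.data):
            findings.append(f"record {k}: value not in conformance with algorithm")
    last = records[-1].verified if records else generate(0, b"")
    if last != card.stored_verified(area):
        findings.append("last logged verified data differs from value in card")
    return findings


if __name__ == "__main__":
    card = ICCard("CARD001")
    card.create_region("A")
    log = []
    terminal_transaction(card, "A", b"200 USD 1989-10-02", log)  # constructed
    # A record written at the terminal without the card, by someone who knows
    # the generating algorithm: the log looks regular, the card disagrees.
    log.append(HistoryRecord("CARD001", "A", b"900 USD 1989-10-03", "2"))
    print(audit(card, "A", log))
```

The record appended without the card passes the conformance check, because its value follows the algorithm; only the comparison with the value held in the card exposes it, which is the correspondence check the text relies on.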

Next, a description will be given of a second 
embodiment of the transaction authentication sys- 
tem according to the present invention. FIG.5 
shows an embodiment of the IC card used in the 
second embodiment of the transaction authentica- 
tion system according to the present invention. In 
FIG.5, an IC card 51 comprises a terminal group
52, an input/output interface 53, a CPU 54, drivers
55, 56 and 57, a random access memory (RAM) 
58, a ROM 59, an EEPROM 60, and a system bus 
61. 

The terminal group 52 comprises a power 
source terminal Vcc for receiving a power source 
voltage, a ground terminal GND for receiving a 
ground voltage, a reset terminal RST for receiving 
a reset signal, a programming terminal Vpp for 
receiving a programming voltage, a clock terminal 
CLK for receiving a clock signal, and an 
input/output terminal I/O for inputting and outputting
serial data. The terminals of the terminal group 52 
other than the input/output terminal I/O are con- 
nected to the CPU 54. The input/output terminal is 
connected to the input/output interface 53. 

The input/output interface 53 converts a serial 
input data into a parallel input data. When a pre- 
determined number of bits of data (for example, 
four to eight bits of data) is received, the 
input/output interface 53 interrupts the CPU 54 by 
sending an interrupt signal. On the other hand, 
when sending a data from the IC card 51 to a 
terminal (not shown), the data is output serially 
from the input/output interface 53 via the 
input/output terminal I/O of the terminal group 52. 
When outputting the data from the IC card 51, the
CPU 54 sets a parallel data (for example, eight
bits) in the input/output interface 53 and the set
data is automatically output via the input/output 
terminal I/O with a timing determined by the clock 
signal received from the clock terminal CLK. 

The drivers 55, 56 and 57 respectively drive
the RAM 58, the ROM 59 and the EEPROM 60.
The input/output interface 53, the CPU 54, the
drivers 55 through 57, the RAM 58, the ROM 59
and the EEPROM 60 are coupled by the system
bus 61. The system bus 61 is made up of an
address bus 61a, a data bus 61b, and an
input/output control bus 61c. For example, the
address bus 61a and the data bus 61b respectively
are 8-bit buses. The input/output control bus 61c is
used for transmitting the clock signal, the ground
voltage, the power source voltage, the interrupt
signal and the like.

The RAM 58 is used as a work area for the
CPU 54 when making calculations and the like
during the transaction. The ROM 59 stores
programs of the CPU 54 and corresponds to the ROM
31 shown in FIGS.4A and 4B. The EEPROM 60
stores the account number, PIN, balance of the
account, transaction history, final transaction
information, transaction historical information and the
like and corresponds to the EEPROM 32 shown in
FIGS.4A and 4B.

The IC card 51 is used on a terminal such as
the POS terminal 20 described before in conjunction
with the first embodiment.

FIGS.6A, 6B and 6C respectively are flow
charts for explaining an operation of the CPU 54 of
the IC card 51 shown in FIG.5. In FIG.6A, when an
internal process of the IC card 51 is started and a
card ID request is received, a step S1 reads the
card ID from the EEPROM 60. The read card ID is
supplied to the terminal and a desired service is
selected from the terminal. A step S2 reads a
service name of the selected service from the
ROM 59. A step S3 discriminates whether or not
the service name is found in the ROM 59. When
the discrimination result in the step S3 is NO, a
selection error information is supplied to the
terminal. But when the discrimination result in the step
S3 is YES, a step S4 requests authentication to the
terminal. The terminal then supplies an
authenticate code or key (PIN) which is necessary to
make the selection, and a step S5 develops the
authenticate code which corresponds to the
selected service from the EEPROM 60 to the RAM
58. A step S6 develops an error number counter in
the RAM 58.

A step S7 discriminates whether or not the
authenticate code which is received from the
terminal corresponds with the authenticate code which is
developed in the RAM 58. When the discrimination
result in the step S7 is YES, a step S8 clears the
error number counter and stores the authenticate
code in the EEPROM 60. A step S9 stores in the
EEPROM 60 an information which indicates that
the authentication is ended, and the authentication
end information is supplied to the terminal and the
process advances to a step S21 shown in FIG.6B.
On the other hand, when the discrimination
result in the step S7 is NO, a step S10 increments
the counted value in the error number counter and
stores the incremented value in the EEPROM 60. A
step S11 discriminates whether or not the counted
value in the error number counter is greater than a
predetermined number. When the discrimination
result in the step S11 is NO, a legitimacy error
information is supplied to the terminal. But when
the discrimination result in the step S11 is YES, a
step S12 sets a lock flag within the EEPROM 60 to
an ON state and a locked state information is
supplied to the terminal. When the lock flag is ON,
the IC card 51 is made unusable for the selected
service and a locked state information is supplied
to the terminal. In other words, the lock flag
indicates whether or not the selected service is
accessible by the IC card 51.

As described before, the IC card 51 may be
used to receive various services. Hence, it is
inconvenient if the IC card 51 were made unusable for
all the services even when only predetermined one 
or more services should actually be made non- 
accessible. Therefore, in actual practice, the error 
number counter is provided for each service and 
the predetermined number used for the compari- 
son in the step S11 is set for each service. In other 
words, a lock flag is provided for each service 
accessible by the IC card 51. For the sake of 
convenience, a description will hereunder be given 
of a case where only one lock flag is provided. 

In FIG.6B, a transaction information write
command including a transaction information and a
write position within the IC card 51 is received from
the terminal. A step S21 reads an authentication
completion information, and a step S22 reads the
lock flag. A step S23 discriminates whether or not
the lock flag is ON. When the discrimination result
in the step S23 is YES, a locked state information
is supplied to the terminal. On the other hand,
when the discrimination result in the step S23 is
NO, a step S24 discriminates whether or not the
authentication is ended. When the discrimination
result in the step S24 is NO, an authentication error
information is supplied to the terminal. When the
discrimination result in the step S24 is YES, a step
S25 develops the access qualification information
of the user in accordance with the authentication
information from the EEPROM 60 to the RAM 58.

A step S26 discriminates whether or not the
user has a right to write information. When the
discrimination result in the step S26 is NO, an
access qualification error information is supplied to
the terminal. But when the discrimination result in
the step S26 is YES, a step S27 transfers the
necessary information from the EEPROM 60 to the
RAM 58 and a step S28 discriminates whether or
not a designated write position exists. When the
discrimination result in the step S28 is NO, a
designation error information is supplied to the
terminal. On the other hand, when the
discrimination result in the step S28 is YES, a step S29
writes the data at the designated write position
within the RAM 58. A step S30 develops the
transaction serial number from the EEPROM 60 to the
RAM 58, and a step S31 increments the
transaction serial number in the RAM 58. The process
then advances to a step S41 shown in FIG.6C.



In FIG.6C, the step S41 generates by calculation
the verified data in conformance with a
generating algorithm based on unique numbers
such as the transaction serial number and the
transaction date. A step S42 stores the verified
data in the RAM 58. A step S43 discriminates
whether or not all of the processes are correctly
ended. When the discrimination result in the step
S43 is NO, a write error information is supplied to
the terminal. On the other hand, when the
discrimination result in the step S43 is YES, a step S44
stores the write information, the verified data and
the transaction serial number in the EEPROM 60. A
step S45 discriminates whether or not the data are
correctly stored in the EEPROM 60 in the step
S44. When the discrimination result in the step S45
is NO, a memory error information is supplied to
the terminal. When the discrimination result in the
step S45 is YES, a step S46 assembles the
transmitting data and an end information including a
normal end information and the verified data is
supplied to the terminal. When a transaction end
information is received from the terminal, a step
S47 ends the process by releasing the RAM 58
and the process is ended.
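
The write-command flow of FIG.6B and FIG.6C, together with the terminal-side comparison of the verified data, as an added C sketch that is not part of the original specification. The structure layout, status names, region sizes, sample values and the FNV-1a mixing that stands in for the generating algorithm are assumptions; the specification does not disclose its algorithm.

```c
#include <stdint.h>
#include <string.h>

enum status { OK, LOCKED, AUTH_ERR, QUAL_ERR, DESIG_ERR };
#define REGIONS 4
#define REGION_LEN 16

struct card_mem {                 /* models the data memory (EEPROM 60) */
    int lock_flag, authenticated, may_write;
    uint8_t region[REGIONS][REGION_LEN];
    uint32_t serial, verified;    /* only the last verified data is kept */
};

/* Placeholder generating algorithm (FNV-1a mixing, an assumption).
   It is unkeyed, so it illustrates the data flow only. */
static uint32_t gen_verified(uint32_t serial, uint32_t date) {
    uint32_t in[2] = { serial, date }, h = 2166136261u;
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++) { h ^= (in[i] >> (8 * b)) & 0xffu; h *= 16777619u; }
    return h;
}

/* Card side: transaction information write command, steps S21 to S46. */
enum status card_write(struct card_mem *ee, unsigned pos, const uint8_t *data,
                       size_t len, uint32_t date, uint32_t *verified_out) {
    if (ee->lock_flag) return LOCKED;                 /* S22, S23 */
    if (!ee->authenticated) return AUTH_ERR;          /* S21, S24 */
    if (!ee->may_write) return QUAL_ERR;              /* S25, S26 */
    /* S28: position must exist; the length bound is an added assumption */
    if (pos >= REGIONS || len > REGION_LEN) return DESIG_ERR;
    struct card_mem ram = *ee;                        /* S27: work copy in RAM */
    memset(ram.region[pos], 0, REGION_LEN);
    memcpy(ram.region[pos], data, len);               /* S29 */
    ram.serial++;                                     /* S30, S31 */
    ram.verified = gen_verified(ram.serial, date);    /* S41, S42 */
    *ee = ram;                                        /* S44: commit to EEPROM */
    *verified_out = ram.verified;                     /* S46: sent to terminal */
    return OK;
}

/* Terminal side: compare the logged verified data with the card's copy. */
int transaction_authentic(const struct card_mem *ee, uint32_t logged) {
    return ee->verified == logged;
}

int main(void) {                  /* constructed sample transaction */
    struct card_mem card = { .authenticated = 1, .may_write = 1 };
    uint32_t v = 0;
    enum status s = card_write(&card, 1, (const uint8_t *)"AMT=1200", 8, 19891004u, &v);
    return !(s == OK && transaction_authentic(&card, v));
}
```

Because every check runs before the RAM work copy is committed, a rejected command leaves the stored serial number and verified data unchanged.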

FIG.7 generally shows an embodiment of a
card reader/writer which is used in the second
embodiment. Of course a similar card reader/writer
may be used in the first embodiment. In FIG.7, a
card reader/writer 70 generally comprises a card
inserting opening 71, a magnetic head 72, a timing
belt 73, a card transport path 74, a contact part 75,
a motor 76, a roller 77, a printed circuit 78 which
has the CPU 54, the ROM 59 and the like arranged
thereon, and a cover 79 which is indicated by a
phantom line.

When the IC card 51 is inserted into the card
inserting opening 71, the IC card 51 is transported
along the card transport path 74 by a transport
mechanism to a loaded position where contacts of
the contact part 75 make contact with the
corresponding terminals of the terminal group 52 of
the IC card 51. The transport mechanism includes
the motor 76 which rotates the roller 77 so as to
drive the timing belt 73.

In this embodiment, the magnetic head 72 is
provided to read a magnetic stripe of the IC card
51. The provision of the magnetic head 72 enables
the card reader/writer 70 to read the magnetic
stripes of both the IC card 51 and the conventional
magnetic stripe card. In other words, there is card
interchangeability among the IC cards and the magnetic
stripe cards. However, it is not essential to provide the
magnetic head 72 on the card reader/writer 70. In
addition, the card reader/writer 70 may be a part of
the terminal or be a unit independent of the terminal.

Further, the present invention is not limited to
these embodiments, but various variations and
modifications may be made without departing from
the scope of the present invention.



Claims 

1. A transaction authentication system comprising
terminal means (9, 20) comprising first processing
means (10, 11) and a card reader/writer (70);
first memory means (12, 18); and an integrated
circuit card (1, 21, 51) which is detachably loaded
into said card reader/writer, said integrated circuit
card comprising second processing means (2, 30,
54) and second memory means (3, 4, 31, 32, 58,
59, 60), characterized in that said terminal means
(9, 20) supplies at least a transaction data which is
related to a transaction and a designated storage
region in said second memory means (3, 4, 31, 32,
58, 59, 60) for storing the transaction data to said
integrated circuit card (1, 21, 51) when said
integrated circuit card makes an access to a service
via said terminal means; said second processing
means (2, 30, 54) of said integrated circuit card
writes the transaction data received from said
terminal means in the designated storage region of
said second memory means and generates a
verified data which is renewed every time the
transaction data is written into said second memory, said
verified data having a value in conformance with a
predetermined generating algorithm, said verified
data being stored in said second memory means
and also supplied to said terminal means; and said
first processing means (10, 11) of said terminal
means generates a transaction historical information
which includes at least the designated storage
region, the transaction data and the verified data
and stores the transaction historical information in
said first memory means, thereby a transaction
being authenticatable from a correspondence of the
verified data stored in said first memory means
(12, 18) and the verified data stored in said second
memory means.

2. The transaction authentication system as
claimed in claim 1, characterized in that said first
memory means (12) is connected to said terminal
means (9, 20) and is provided exclusively for said
terminal means.

3. The transaction authentication system as
claimed in claim 1, characterized in that said first
memory means (18) is coupled to said terminal
means (9, 20) via communication means (15, 16).

4. The transaction authentication system as
claimed in any of claims 1 to 3, characterized in
that said terminal means (9, 20) is constituted by a
point-of-sales terminal (20).

5. The transaction authentication system as
claimed in any of claims 1 to 4, characterized in
that said integrated circuit card (21, 51) further
comprises a terminal group (33, 52) which is coupled
to said second processing means (30, 54), said
card reader/writer (70) of said terminal means (9,
20) reading/writing serial data with respect to said
integrated circuit card via said terminal group.

6. The transaction authentication system as
claimed in any of claims 1 to 5, characterized in
that said second processing means (30, 54) of said
integrated circuit card (1, 21, 51) generates a
serial number as the verified data.

7. The transaction authentication system as 
claimed in any of claims 1 to 5, characterized in 
that said second processing means (30, 54) of said 
integrated circuit card (1, 21, 51) generates an n- 
argument function as the verified data, where n = 
1.2 

8. The transaction authentication system as 
claimed in any of claims 1 to 5, characterized in 
that said second processing means (30, 54) of said 
integrated circuit card (1, 21, 51) generates as the 
verified data a value which is unique for each 
transaction. 

9. The transaction authentication system as 
claimed in any of claims 1 to 8, characterized in 
that said second processing means (30, 54) of said 
integrated circuit card (1, 21, 51) stores in said 
second memory means (3, 4, 31, 32, 58, 59, 60) 
only a verified data which is generated with respect 
to a last transaction. 

10. The transaction authentication system as 
claimed in any of claims 1 to 9, characterized in 
that said second memory means (3, 4, 31, 32, 58, 
59, 60) comprises a first memory (31, 59) for 
storing programs for carrying out processes on 
said second processing means (30, 54) and a 
second memory (32, 60) for storing data. 

11. The transaction authentication system as 
claimed in claim 10, characterized in that said first 
memory (31, 59) is constituted by a read only 
memory and said second memory (32, 60) is
constituted by an electrically erasable programmable
read only memory. 

12. The transaction authentication system as 
claimed in claim 10, characterized in that said 
second memory means (3, 4, 31, 32, 58, 59, 60) 
further comprises a third memory (58) for providing 
a work area for said second processing means (30, 
54). 

13. The transaction authentication system as 
claimed in claim 12, characterized in that said third 
memory (58) is constituted by a random access 
memory. 

14. The transaction authentication system as
claimed in any of claims 1 to 13, characterized in
that said second processing means (30, 54)
includes means for setting a lock flag when an
authenticate code which is received from said
terminal means (9, 20) and corresponds to a selected
service differs from an authenticate code stored in
said second memory means (3, 4, 31, 32, 58, 59,
60) a predetermined number of times, said first
lock flag which is set indicating that the selected
service is non-accessible.

15. The transaction authentication system as 
claimed in claim 14, characterized in that said lock 
flag is set independently for each service. 

16. The transaction authentication system as
claimed in any of claims 1 to 15, characterized in
that said second processing means (30, 54)
comprises write means (5) for writing the transaction
data which is received from said terminal means (9,
20) into the designated storage region of said
second memory means (3, 4, 31, 32, 58, 59, 60),
renewing means (7) for renewing a transaction
execution identifying information which is stored in
said second memory means every time the
transaction data is received from said terminal means,
and verified data generating means (6) for generating
the verified data based on the transaction
execution identifying information read from said
second memory means.

17. The transaction authentication system as
claimed in claim 16, characterized in that said
verified data generating means (6) supplies the
transaction execution identifying information which
is read from said second memory means (3, 4, 31,
32, 58, 59, 60) as it is to said terminal means (9,
20) as the verified data.

18. The transaction authentication system as
claimed in any of claims 1 to 17, characterized in
that said second memory means (3, 4, 31, 32, 58,
59, 60) stores a card identification information, said
second processing means (30, 54) of said
integrated circuit card (1, 21, 51) supplies the card
identification which is read from said second
memory means together with the verified data, and said
first processing means (10, 11) of said terminal
means (9, 20) generates the transaction historical
information which also includes the card
identification information.
[FIG.6B: flow chart of the transaction information write command process, steps S21 to S31]

EP 0 363 122 A2

[FIG.6C]